Struggling to Recover From a Cyberattack

Darren Dahl, The New York Times

Thursday, 23 Aug 2012 | 3:18 PM ETThe New York Times

SHARES

Laurence Dutton | The Image Bank | Getty Images

In 2006, Peter Justen, a serial entrepreneur, founded MyBizHomepage, an online service that connected to companies’ QuickBooks accounting software to help business owners monitor their financial metrics. When the site went live in 2008, it attracted significant media attention. It was free to use and the company planned to make money through advertising, a recipe that appealed to Mr. Justen’s investors, who valued the company at $100 million based on the vast potential they perceived.

THE CHALLENGE Rebuilding. After Mr. Justen fired his chief technology officer, strange things started happening at MyBizHomepage, including a series of cyberattacks that brought down the company’s software. (Read more: A Company Turning Problems Into Profits.)

THE BACKGROUND Mr. Justen started MyBizHomepage in Middleburg, Va., five years after he and his co-founders had sold Pace Financial Network to TD Ameritrade, the online brokerage firm. Looking for a new challenge, Mr. Justen, a self-described numbers guy, began researching whether there was a need among small-business owners for help in understanding the financial ratios that drive their companies. He quickly determined there was. He also knew that lots of small businesses used QuickBooks to run their financials. “My idea,” Mr. Justen said, “was to simplify things for business owners to give them an easy way to see the problems and opportunities in the numbers of their business.”

Mr. Justen and a team of programmers spent the next two years working on the prototype for MyBizHomepage, which would use a series of algorithms to analyze data culled from QuickBooks and create financial performance indicators that would be displayed as a financial dashboard for each business. One popular feature, for example, monitored a company’s accounts-receivable balance. When the balance exceeded a set threshold, the software would send an alert. “The idea was that by checking in on their key numbers every day, a business owner could see where he was headed,” Mr. Justen said.

To help fuel the company’s growth, Mr. Justen turned to several investors to raise capital. They included Joe Silbaugh, a real estate developer, and Bryan Elicker, a friend of Mr. Silbaugh’s who sold a coffin company in 2007. In 2008, Mr. Justen and his investors, who also served on his board, faced an interesting decision: They had a tentative offer to sell the company for a price close to their own valuation. But Mr. Justen and his board decided not to sell. “We hadn’t yet tapped the potential of the product, especially among a global audience,” he said, noting that the company had barely 6,000 customers using the system at the time.

Apparently the decision not to sell did not sit well with the company’s chief technology officer. Mr. Justen said he was soon told that the officer, a longtime associate, had teamed up with two other senior officers in the company in an effort to start a competing company. Mr. Justen said he learned of the new venture from one of his investors who had been approached about joining the group. Furious, Mr. Justen fired the chief technology officer and his cohort, and instructed his lawyer to send them a cease-and-desist letter. That was when the real trouble began. After Mr. Justen fired his chief technology officer, the MyBizHomepage began to crash regularly. Mr. Justen and his board members also found that someone had hacked into their personal e-mail and Facebook accounts and had begun sending people on their contact list messages impugning the ethics of Mr. Justen and the board members. The messages claimed that MyBizHomepage was defrauding investors, a claim that was repeated on several Web sites. “It hurts your reputation when someone Googles your name and finds that,” said Mr. Silbaugh, who had invested more than $1 million in MyBizHomepage.

When Mr. Justen contacted authorities about the attacks and explained what he thought was happening, he said he learned something else about his former chief technology officer: there was little, if any, official proof that he existed. Mr. Justen said he knew that the officer was unusual, that he had been arrested on an outstanding warrant after being pulled over on suspicion of driving with a fake license plate. But Mr. Justen said he did not realize that the chief technology officer had no official identity: no driver’s license, no credit cards, no tax returns. The chief technology officer apparently had been living off the grid, which made tracking him down almost impossible even with the help of the authorities.

Mr. Justen said he concluded that the chief technology officer had built multiple “backdoor” entrances into the MyBizHomepage software and had compromised the company’s backup data. It became clear that the site would need to be shut down indefinitely, essentially putting the company out of business.

THE OPTIONS Given the security breaches and the destruction of the backup copies of the code, Mr. Justen said he knew that he would have to start from scratch if he wanted the company to continue. But he was reluctant to go back to his original investors for more money, and he knew he would have a hard time raising capital after the 2008 credit crisis. He considered having the company declare bankruptcy, but he knew that meant his investors would lose everything.

He also struggled with how public to make what had happened, particularly given that his customers had trusted him with delicate information. They might not be eager to re-enlist, knowing the service had been hacked by an insider. While he had been working with authorities to track down his former chief technology officer, Mr. Justen also considered his legal options if the officer were located.

Finally, Mr. Justen, who had a family to support, considered simply shutting the doors to the business and walking away for good.

and columnist for Inc. magazine in New York City: “Mr. Justen should focus on restructuring or starting a new company using his intellectual property. Bankruptcy won’t help. His only asset is his software, which they will just auction off and sell to the highest bidder. He should also be honest about how he played a role in what went wrong. Why didn’t he run a background check on his C.T.O.? And why did he fire him without first putting a plan in place to protect the software? He can’t afford to make those mistakes again. I always say you should trust everyone but also keep your eyes open.”

Mark Davis, senior director at the White House Writers Group, a consulting company in Washington, and the co-author of “Digital Assassination,” a book on cyberterrorism: “Mr. Justen has no choice but to go public with an apology and an explanation. He should put up a YouTube video explaining what happened and what action steps they are taking to rectify the situation.”

Joy R. Butler, a business and entertainment lawyer in Washington who wrote “The Cyber Citizen’s Guide Through the Legal Jungle”: “Mr. Justen and his company have limited legal options going forward unless they can locate the C.T.O. The company might then seek redress by suing for breach of any noncompete or confidentiality provisions that may have been in the former C.T.O.’s employment agreement.”

John Mutch, chief executive of BeyondTrust, a global provider of security software: “Unfortunately for Mr. Justen, he probably needed to lock the system down before firing his C.T.O. If he decides to go forward, he should consider building role-based security around his company’s critical assets that limits who can access what.”

THE RESULTS Offer your thoughts on Mr. Justen’s decision on the You’re the Boss blog at nytimes.com/boss. Next week, on the blog and in this space, we will explain how the company is doing.